WEAK PASSWORDS AND WEB APPLICATION VULNERABILITIES GRANT HACKERS THE KEYS TO 55% OF LARGE NETWORKS, INCLUDING CRITICAL INFRASTRUCTURE

Up to 55% of large organizations have such severe flaws in their IT security perimeter
that a hacker could gain full control of their entire network via the Internet. That’s the
finding of detailed penetration tests carried out by Positive Technologies, a leading
supplier of vulnerability assessment, compliance management and threat analysis
solutions.

Nine in ten of the enterprise-level systems studied by Positive Technologies during 2013
were susceptible to some form of perimeter breach, and in 82% of cases a hacker would
only need a low level of skill to gain access.

For 40% of the organizations, the breach vector was weak passwords, including
dictionary passwords used to secure highly privileged administrator accounts in over a
third of the networks. Meanwhile, web application vulnerabilities such as SQL injection
were found in 93% of the systems we studied and were serious enough to grant full
access to one in three corporate networks.

100% Vulnerable to Internal Attack

All of the organizations tested were at high risk of attack from within. When given the
credentials of a member of staff with the most basic security clearance, our testers were
able to escalate the user’s privileges and gain unauthorized access to critical systems in
every network we studied.

In half of our tests, we needed only basic computing skills to mount an attack from
within, implying that even non-technical employees could pose a threat to security.
When the full range of attack vectors was employed by our specialists, they were able
to exploit low privilege credentials to take full control over 71% of the networks we
studied.

Once again, weak passwords were the most common vulnerability, affecting 92% of
the systems we studied. But 67% of systems demonstrated other weaknesses, such
as traffic filtering flaws and inadequately protected service protocols, that can enable
hijacking, redirection of traffic and the storage of sensitive data in unencrypted form.

Social Engineering Puts Two Thirds of Firms At Risk

Meanwhile, 66% of the organizations we tested were at risk because their own staff
lacked awareness of typical social engineering techniques. More than 20% of employees
who were sent one of our simulated phishing emails attempted to follow a link, enter
their credentials or open an attachment.

The Positive Technologies study included 14 large-scale penetration tests in several
countries carried out during 2013. The enterprises analyzed ranged from oil and
gas producers and banks to government agencies, software manufacturers and
telecommunications firms. We have excluded the results of several other tests where we
were asked to perform only a partial analysis of an organization’s network as it was felt
these results were not representative of overall security levels.